Cross-Site Scripting most vulnerable among web apps

About 65% of discovered vulnerabilities had medium risk, with 20% having high risk.

Cross-Site Scripting (XSS) was the most common vulnerability in web applications found during the first half of 2013, followed by SQL Injection and Cross-Site Request Forgery, a new report has found.

High-Tech Bridge Security Research Lab’s latest web application security report revealed that during the initial six months, about 65%of discovered vulnerabilities had medium risk, with 20% having high risk.

About 95% of vendors launched security fixes prior to the public revelation of vulnerabilities, while vendors were able to roll out security patches within three weeks after being notified about discovered vulnerability.

High-Tech Bridge chief research officer Marsel Nizamutdinov said that security researchers have to work hard to find vulnerabilities in well-known web applications.

"First of all, code of such web applications has been developed for many years and is quite mature today," Nizamutdinov said.

"It does not contain many security flaws, simply because security researchers found almost everything during the past years.

"New functionality brings new vulnerabilities, however the code, quite often consisting of millions of lines, is quite difficult to analyse because of its complicated structure."

The security firm also revealed that critical vulnerabilities in web applications have reduced significantly, compared to 2003, when almost all PHP applications were vulnerable to PHP include or SQL injection attacks.

"As our statistics shows, the most prevalent vulnerability is XSS, which many web developers still fail to avoid," Nizamutdinov added.

"However, it doesn’t mean that critical vulnerabilities have disappeared – they just became more complicated to find and more sophisticated to exploit.